shibboleth-dev - Re: TLS to LDAP?
- From: Jim Fox
- To: Walter Hoehn
- Subject: Re: TLS to LDAP?
- Date: Wed, 15 Dec 2004 11:44:02 -0800 (PST)
(Keep in mind that I am not a java expert. Corrections to any misunderstandings here are welcome.)
The gist is that TLS has to be negotiated. We are also using a
SASL mechanism on the LDAP servers. The code corresponding to
JNDIDirectoryDataConnector.java, around line 220, looks like:
LdapContext context = null;
StartTlsResponse tls = null;
try {
context = new InitialLdapContext(properties, null);
/* Start TLS */
tls = (StartTlsResponse)
context.extendedOperation(new StartTlsRequest());
tls.negotiate();
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
NamingEnumeration nEnumeration = null;
...
and there is a tls.close() later. I can send you or the list either
the new plugin or a diff from JNDIDirectoryDataConnector if you like.
TLS is not SSL, but does get the principal name from the certificate,
so the xml elements for "security.protocol", "security.principal",
and "security.credentials" are not used.
In addition, as far as I can tell, the certificate properties
associated with TLS authentication, e.g., javax.net.ssl.keyStore,
are global and cannot be set on a per-connection basis. I think
that's true even if the code does the setProperty, rather than
doing it by a JAVA_OPTS setting in tomcat.
I also encountered a conflict if I tried to connect to one LDAP
server with SSL and id/password auth and to a second LDAP server
with TLS auth. The keystore property settings seemed to override
the password auth. Having both LDAPs use TLS worked fine.
I'm using java 1.5.0.
Jim
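The StartTLS-then-EXTERNAL sequence described above, as an added Java example that is neither Jim's plugin nor the Shibboleth connector code: the bind is deferred until negotiate() has succeeded, and the client certificate is supplied through an SSLSocketFactory handed to negotiate(), which scopes the keystore to this connection instead of the global javax.net.ssl.keyStore properties. The LDAP URL, the DN and the factory construction are assumed inputs.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSocketFactory;

/** StartTLS + SASL EXTERNAL attribute lookup (constructed example, not the connector's code). */
public final class StartTlsExternalLookup {

    /**
     * Returns the attributes of {@code dn}, authenticating with the client certificate
     * carried by {@code clientCertFactory} (hypothetical: built by the caller from this
     * connection's own keystore rather than from the global javax.net.ssl.* properties).
     */
    public static Attributes lookup(String ldapUrl, String dn, SSLSocketFactory clientCertFactory)
            throws NamingException, java.io.IOException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Plain ldap:// URL: TLS is negotiated in-band, so no security.protocol=ssl here.
        env.put(Context.PROVIDER_URL, ldapUrl);
        // No principal or credentials yet: nothing is bound before the channel is protected.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // Per-connection factory; JNDI's default hostname check against the server cert stays on.
            tls.negotiate(clientCertFactory);
            // Only now authenticate: EXTERNAL maps the handshake's client cert to a directory identity.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
            ctx.reconnect(null); // apply the new authentication on the now-protected connection
            return ctx.getAttributes(dn);
        } finally {
            // Tear down the TLS layer before the context so the socket is not left half-closed.
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }
}
```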
On Wed, 15 Dec 2004 13:13:04 -0600, Walter Hoehn wrote:
Hi Jim,
We certainly want to support this configuration. Can you be specific about what your connector had to do differently? The shib-supplied JNDI connector should be able to pass-through any property to the Sun ldap provider.
-Walter
On Dec 15, 2004, at 11:49 AM, Jim Fox wrote:
We want to allow our attribute resolver to contact a couple of
LDAP servers that use the TLS protocol - instead of simple SSL.
The stock JNDIDirectoryDataConnector did not appear to be able to
handle TLS, so we installed a custom connector.
Am I correct about this? If there is a different way to do
TLS to an LDAP server somebody please tell me. We also
authenticate with certificates, instead of passwords.
Otherwise, TLS seems like a natural protocol to support.
The standard JNDI connector could easily be adapted to do so.
Might this be added?
Jim